[quake3-bugzilla] [Bug 4810] Using a MD5 hash instead of clear-text password
bugzilla-daemon at icculus.org
Sun Dec 5 07:50:07 EST 2010
http://bugzilla.icculus.org/show_bug.cgi?id=4810
Thilo Schulz <arny at ats.s.bawue.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |arny at ats.s.bawue.de
--- Comment #1 from Thilo Schulz <arny at ats.s.bawue.de> 2010-12-03 15:19:58 EST ---
Interesting. This would only give limited security though, because if someone
can sniff the password, he can also fake an rcon command coming from a
connected client (only as long as it is connected though).
It would also remove the possibility to send rcon commands without being
connected.
--- Comment #2 from uZu <uzu at qlone.org> 2010-12-05 07:50:02 EST ---
(In reply to comment #1)
Thanks for this feedback.
> Interesting. This would only give limited security though, because if someone
> can sniff the password, he can also fake an rcon command coming from a
> connected client (only as long as it is connected though).
If the client's challenge really is what it seems to be (a unique identifier
for a connected client), I don't think you can spoof an rcon command, but I may
be wrong or too confident on the challenge notion here. Adding the qport to the
hash may help harden the hash though.
> It would also remove the possibility to send rcon commands without being
> connected.
Yes, in that case, using that kind of MD5 hash isn't possible (although there's
always the possibility to send a clear-text password).